
I think we are mixing two different things here and it’s worth pulling them apart to make things clearer.

There is an element of you are going after a very specific system or set of systems but they are all air gapped and you need to find a way to get your malware onto those systems somehow.

This part is actually how you describe it more or less. The plan was basically: spread everywhere you can but only do so if you are confident for some reason that you’re on a system belonging to the target country (i.e. Iran) and if anyone ever sticks in a USB key to one of those systems you should take that as an opportunity to cross the air gap because people are sloppy and mistakes happen.

So in that sense, yeah it is somewhat true, that’s literally the strategy they used to get where they needed to go. However, the controls they had around it I think were also reasonable. I fully expect the NSA and Mossad (who would later somewhat fuck up the operation) to be doing exactly that and I think it’s consistent with their job.

The second part is the “actually malicious” payload. That had an entirely different set of checks and balances in place to make sure it wasn’t fucking up unrelated systems along the way but just using them as a launch point.

That full context I think still firmly fits my original definition that unless you’re actively on a target list for some reason you have no reason to view NSA malware as something you should have on your threat model. Not sure if you agree or not?



You're ignoring the 1000 systems damaged by Stuxnet that had nothing to do with the Iran nuclear program? All of those people would view Stuxnet as malware, and would want their AV to target it.

And that's forgetting that no matter how specific the NSA supposedly was, after launching their malware other groups will copy it, so an AV provider will need to view NSA malware as a threat model.

Plus, your original definition assumes the NSA either doesn't make mistakes, or an AV company shouldn't try to clean up their mistakes, both of which are nonsense.


I think we are hung up on the term “damaged” here maybe.

1000s of computers did indeed have malware on them. That’s true.

The malware was intentionally designed to do nothing other than trying to cross the airgap to where it was actively trying to go.

This is the entire reason I just explained why, when you say “Stuxnet infected thousands of machines”, you’re actually talking about a couple of different things here as though they were one.

The nuance in this particular debate matters quite a lot and I don’t think ignoring it for the sake of convenience is helpful.


The Wikipedia article I linked mentions far more computers getting infected, and approximately 1000 systems being damaged. That's in line with what I've read about the program over the past decade, though my thirty seconds of research can't find more evidence.

If it only damaged the one system it was supposed to be targeting, why would we ever have heard of it?


There’s a few reasons but a General from STRATCOM leaked it from memory being a major one and I generally think there was probably a bit of a messaging component going on there where the US wanted to flex both in terms of their capabilities but also as to what they considered to be “norms” in the cyber context.

I.e. here is an example of what we consider to be legitimate use to compare and contrast with, say, North Korea’s Sony hack.

But also it lost a lot of its value as a secret once it was already done.
